From: Tobias Brunner Date: Tue, 20 Jun 2017 10:50:36 +0000 (+0200) Subject: ikev1: Only delete redundant CHILD_SAs if configured X-Git-Tag: 5.6.0dr1~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=083208e805e67aad2ff58bb0d297b46dfff4573c;p=thirdparty%2Fstrongswan.git ikev1: Only delete redundant CHILD_SAs if configured If we find a redundant CHILD_SA (the peer probably rekeyed the SA before us) we might not want to delete the old SA because the peer might still use it (same applies to old CHILD_SAs after rekeyings). So only delete them if configured to do so. Fixes #2358.
---
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 48ec3e7f57..3472d2c351 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -1805,8 +1805,12 @@ METHOD(task_manager_t, queue_child_rekey, void,
 if (is_redundant(this, child_sa))
 {
 child_sa->set_state(child_sa, CHILD_REKEYED);
- queue_task(this, (task_t*)quick_delete_create(this->ike_sa,
+ if (lib->settings->get_bool(lib->settings, "%s.delete_rekeyed",
+ FALSE, lib->ns))
+ {
+ queue_task(this, (task_t*)quick_delete_create(this->ike_sa,
 protocol, spi, FALSE, FALSE));
+ }
 }
 else
 {
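Review bot: The new `if` around `queue_task(...)` has no comment saying what happens to the redundant CHILD_SA when `%s.delete_rekeyed` is off, which is the default (`FALSE`) passed to `get_bool` here. In that case the SA is still set to `CHILD_REKEYED` but no delete is queued, so the old keys stay installed until something else removes the SA. What removes it (the peer's delete, lifetime expiry) is not visible in this hunk and should be confirmed. I would add above the condition: `/* the peer might still use the old SA, so only delete it if configured; otherwise it stays in CHILD_REKEYED until removed elsewhere */`. The body of queue_child_rekey starts and ends outside the hunk.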